article header

MSBlast aka Lovesan – Throwback Tech Thursday

It was August 2003. An exciting month in stargazing, sport, and a strange one for tech. Cristiano Ronaldo as an 18-year old made his debut for Manchester United in their 4-0 victory over Bolton Wanderers. And Mars was the closest it’s been to earth in more than 60,000 years. August 11, 2003, is historically famous for a tech reason though. This was the day that MSBlast was first noticed and started to spread.

MSBlast, aka the Blaster Worm and Lovesan, was a virus that targeted Windows XP and Windows 2000. This was a fast-spreading worm that spread quickly through networks. Unlike previous worms like Nimda and Slammer, this one also focused on home users.

It’s said that MSBlast was created when “security researchers from the Chinese group Xfocus reverse engineered the original Microsoft patch that allowed for execution of the attack.” To spread, the worm exploited a Microsoft security buffer overflow flaw. According to wiki, this was discovered by the”Polish security research group Last Stage of Delirium in the DCOM RPC (Remote Procedure Call) service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039. This allowed the worm to spread without users opening attachments simply by spamming itself to large numbers of random IP addresses.”

MSBlast Symptoms

The main symptom of infection from this worm was the shutting down of the computer due to a crash of the RPC. A message would appear explaining that the system was going to restart due to the unexpected termination of the RPC.

MSBlast was also referred to as “Lovesan” because the MSBlast.exe file contained two messages. The first one read, “I just want to say LOVE YOU SAN!!”. The second message read, “billy gates why do you make this possible ? Stop making money and fix your software!!” (as seen in this blog’s image above).

According to CNET, more than 16 million computers were affected by MSBlast. Another source estimates that the costs associated with the attack amounted to circa $320 million.